Andrew Cope

GDPR : The first steps to surviving it

17th August 2017 :: Data Security :: Author: Andrew Cope

The GDPR is an upgrade to the UK Data Protection Act and is very likely to affect you and your business next year.

We're talking to our customers and putting plans in place between now and March 2018 to secure the data behind their bespoke systems and websites.

Any data, like email addresses, names, and postcodes, is personal and appropriate policies and procedures for storing and managing this data need to be in place.

A Secure Certificate

The first step is to make sure that the data can't be intercepted by anyone as it moves across the internet. If a website or web application doesn't use an SSL or Secure Certificate, all information that passes between the web server and your computer is sent in plain text. That makes it too easy to read and abuse any intercepted information using a simple man-in-the-middle attack or over a public wifi connection.

Secure Certificates are the solution and are very cheap these days. They encrypt the data before sending it over the internet where is decrypted safely at the other end.

So when you're next typing in your email address and password into your web browser, have a quick look at the web address. Does it have a green padlock and "https" at the start of the address? The "s" stands for secure and if it's not there, think very hard about continuing. Perhaps contact the owner of the website and ask them why it's not secure.

 

What Next?

The next step is to look at how the information is stored on the server. This is unlikely to be visible to you as the subscriber to a software-as-a-service (saas) website, but if you run an e-commerce shop or store personal data in your own CRM, have a think about what is being held.

When we talk to our customers we are making sure that they are only storing the information that is necessary to trade and provide a service. Sometimes the solution is as simple as removing data that hasn't been used for a while. This, of course, will vary depending on what the data is used for. It's perfectly reasonable to keep enough information about someone if you are using that information for marketing purposes, but if you don't need it why keep all the details of a shop order from 2008?

And do you need to keep so much detail? Maiden name, marital status, and gender might have been easy to capture when the person became a member of your organisation, but is it necessary now?

The key to this is having the tools at hand to manage the data effectively. Will you be able to remove someone's data from all your records if and when they ask?

Get in touch for a chat

Let's continue the conversation. Give us a call to see how we can help. We can offer some expert consultancy and work with your staff to make sure they understand how the GDPR will affect the way they look after your customers' personal information.